CVE-2023-2829

7.5 HIGH

📋 TL;DR

A vulnerability in BIND 9 DNS servers configured with DNSSEC validation and aggressive use of the DNSSEC-validated cache (the 'synth-from-dnssec' option) allows remote attackers to cause a denial of service by sending specially crafted NSEC records. It affects organizations running vulnerable BIND versions as DNSSEC-validating recursive resolvers with that option enabled.

💻 Affected Systems

Products:
  • ISC BIND 9
Versions: 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1
Operating Systems: All operating systems running BIND
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured as DNSSEC-validating recursive resolver with 'synth-from-dnssec' option enabled

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers can crash BIND DNS servers, causing complete DNS resolution failure for dependent systems and services.

🟠

Likely Case

Targeted DoS attacks against vulnerable DNS resolvers, disrupting DNS services for networks relying on them.

🟢

If Mitigated

Minimal impact if servers are patched or not using the vulnerable configuration options.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed NSEC records to vulnerable resolvers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIND 9.16.42-S1, 9.18.16-S1, and later versions

Vendor Advisory: https://kb.isc.org/docs/cve-2023-2829

Restart Required: Yes

Instructions:

1. Download patched BIND version from ISC website
2. Stop BIND service
3. Install updated package
4. Restart BIND service
5. Verify service is running

🔧 Temporary Workarounds

Disable synth-from-dnssec

Disable the aggressive DNSSEC cache usage option that triggers the vulnerability.

Edit named.conf and remove or comment out the 'synth-from-dnssec yes;' line.

🧯 If You Can't Patch

  • Disable synth-from-dnssec option in BIND configuration
  • Implement network controls to restrict DNS queries from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the BIND version with 'named -v' and verify that the configuration contains 'synth-from-dnssec yes;'.

Check Version:

named -v

Verify Fix Applied:

Verify with 'named -v' that the BIND version is 9.16.42-S1 or 9.18.16-S1 or later.
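One way to script the two checks above, as an added example that is not part of this advisory or of ISC's own tooling; the affected ranges are those listed under Affected Systems, and the /etc/named.conf path is an assumption:

```shell
#!/bin/sh
# Added example, not from the advisory or from ISC: decide whether a BIND build
# and its named.conf match the vulnerable combination this page describes.
# Affected ranges are taken from the "Affected Systems" section above.

# Return 0 when a `named -v` banner (e.g. "BIND 9.16.30-S1 (Supported Preview
# Edition) <id:...>") reports a version inside one of the listed -S1 ranges.
bind_version_affected() {
    v=$(printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\)\(-S1\)\{0,1\}.*/\1\2/p')
    case "$v" in
        *-S1) v=${v%-S1} ;;     # only Supported Preview (-S1) builds are listed
        *) return 1 ;;
    esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" = 9 ] || return 1
    case "$minor" in
        16) [ "$patch" -ge 8 ] && [ "$patch" -le 41 ] ;;   # 9.16.8-S1 .. 9.16.41-S1
        18) [ "$patch" -ge 11 ] && [ "$patch" -le 15 ] ;;  # 9.18.11-S1 .. 9.18.15-S1
        *)  return 1 ;;
    esac
}

# Return 0 when the config file has an uncommented 'synth-from-dnssec yes;'
# (lines commented with '#' or '//' do not match).
synth_enabled() {
    grep -Eq '^[[:space:]]*synth-from-dnssec[[:space:]]+yes[[:space:]]*;' "$1" 2>/dev/null
}

# Exposed only when both hold: affected version AND the option enabled.
cve_2023_2829_exposed() {
    bind_version_affected "$1" && synth_enabled "$2"
}

# Live check (the /etc/named.conf path is an assumption; adjust for your host).
if command -v named >/dev/null 2>&1; then
    if cve_2023_2829_exposed "$(named -v 2>/dev/null | head -n 1)" /etc/named.conf; then
        echo "EXPOSED: upgrade to 9.16.42-S1 / 9.18.16-S1 or later, or set 'synth-from-dnssec no;'"
    else
        echo "Not the vulnerable version+configuration combination"
    fi
fi
```

If your configuration uses include files, run the config check against the output of 'named-checkconf -p' written to a temporary file rather than against the top-level named.conf alone.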

📡 Detection & Monitoring

Log Indicators:

  • BIND process crashes
  • Unexpected termination messages in system logs
  • Increased error logs related to NSEC processing

Network Indicators:

  • DNS resolution failures
  • Increased malformed DNS queries to resolvers

SIEM Query:

source="bind" AND ("crash" OR "terminated" OR "segmentation fault")
